By Agata Kałwińska-Bęben, senior associate, Osborne Clarke Poland

OsborneClarke_pole

 

Studies show that a lead from a whistleblower is the most effective way to detect illegal, unsafe or fraudulent activities within organisations. The EU’s decision to oblige member states to adopt legislation protecting those who report abuse of rights is therefore not surprising. A whistleblower, by definition, is an individual acting in good faith, but in public opinion in Poland, as a post-communist country, reporting violations is often associated with a disloyal attitude. For this reason, among others, the Directive EU 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of EU law (the EU Directive) and its subsequent implementation have attracted interest here. This resulted in a long legislative process for the Polish law in this area. Indeed, it was repeatedly discussed and amended, and the process was only greatly accelerated when the European Court of Justice imposed a penalty on Poland for the delay.

The rushed implementation of the Act on the Protection of Whistleblowers in Poland of 14 June 2024 (the Act) has its consequences. The Act is not fully developed, some of its provisions are questionable or contain vague terms; some obligations in practice require disproportionate expenditure or do not fully correspond to business and corporate realities. Polish employers belonging to multinational groups and corporations face the most practical difficulties.

The Act requires that the person/unit responsible for receiving the notification and the person/unit responsible for following up the notification be identified in the procedure. This distinction is not accidental, since in the former case, receiving the notification can be carried out by an external entity (persons outside the entity such as law firms), and in the latter case, the persons/units indicated for follow-up should be internal or persons within the organisational structure of the entity.

“Within the organisational structure of a legal entity” means that the person must be a real presence in the organisation, performing duties within it, but does not mean that they have to be employed under an employment contract. Such an interpretation would eliminate the possibility of appointing, for example, an in-house lawyer employed on a B2B basis to this function.

The exclusion in the Act of the possibility to delegate follow-up functions to external entities has proved troublesome from the point of view of employers belonging to multinational groups. Most of these already had internal whistleblowing channels and procedures in place long before the Act – or even the EU Directive – came into force. It was logical for them to make use of these already functioning solutions; now comes the hard part.

The Act provides that private entities belonging to a capital group within the meaning of Article 4(14) of the Act on Competition and Consumer Protection of 16 February 2007 may establish a common procedure for internal notifications, provided that the activities performed comply with the Act. Unfortunately, when analysing the definition of a ‘capital group’ referred to here, one may come to the conclusion that it refers only to capital groups all of whose companies have their registered office in Poland. Secondly, although the EU Directive is common to EU countries, the way it is implemented across different jurisdictions sometimes differs.

The common procedure is problematic and questionable. At the very least, is it possible to use common notification channels at group level, with which staff are already familiar? In theory yes – again, in practice not so easy. The first problem is language. Notification channels at group level are often not available in Polish. And the Polish Language Act of 7 October 1999 establishes the requirement to use the Polish language when implementing labour legislation if the person providing the work is resident in Poland. But, if the group channel is handled by an international team or persons (from a non-Polish company and this is the situation most often), it will not be able to handle the notifications in Polish without the help of a translator or the involvement of someone from the Polish entity. Going further, although an external entity (such as a compliance team from another country operating a group reporting channel) may be authorised to receive notifications concerning a Polish employer, the Act indicates that the whistleblower has the right to request a direct meeting in order to submit the notification. Commentators on the Act agree that the epithet ‘direct’ implies an obligation to conduct a face-to-face meeting with the whistleblower. It therefore eliminates in practice the possibility of such a notification being received by entities located outside Poland. Holding meetings online may be considered to be in breach of the Act.

So – we have adopted a separate procedure for the Polish company, we have made the Polish version of the group reporting channel available, we have appointed a local person to receive direct notifications, is this the end of our problems? Unfortunately, no. The Act indicates specific obligations related to the protection of personal data processed in connection with the notification received and the deadlines regarding their retention. By choosing to delegate the task of receiving and recording notifications to an external entity, the Polish employer is still responsible for the proper application of the Act, as well as the obligations related to the protection of personal data. To what extent the Polish entity will be able to check whether unnecessary data has been deleted, who has access to it, etc, may prove difficult in practice.

This has resulted in some Polish employers belonging to international structures choosing, as a precaution, not only to adopt a separate procedure, but also to create separate internal notification channels in addition to those existing within the group.

In contrast to possible solutions for large employers with complex structures, the Act also raises questions for the smallest local entities. The general rule is that employers with at least 50 persons are required to implement the procedure. But companies in selected sectors, primarily financial, must apply the Act regardless of the number of people employed. The latter group includes, for example, accounting firms. The Act does not contain any exceptions, so literally speaking, even accounting offices that run a sole proprietorship and do not employ anyone should implement a whistleblower protection procedure. There are claims that implementing whistleblower protection in such a case contradicts the purpose of EU Directive, as we do not have persons who can report something “in a work-related context.” On the other hand, a whistleblower doesn’t have to be an employee, and could be, for example, a business partner. What’s more, it wasn’t that long ago that companies in the same sectors were subject to the obligation to implement anti money-laundering procedures, and then, too, there were no exceptions for the smallest entrepreneurs.

The legislature has made no mention of possible amendments to the Act for now, so employers are left to wait for the first official positions of the authorities, and those with less luck for the post-inspection recommendations of PIP, the state labour inspectorate.